Notes from a BFSI Hybrid Migration: An Audit Diary
Eighteen months inside a Tier-1 bank moving from a single-vendor private cloud to a regulated hybrid. The notes I kept, and what they say in retrospect.
These notes are reconstructed, with permission, from the engagement diary I kept during a Tier-1 commercial bank’s eighteen-month hybrid migration. Names are removed; sequence is preserved. Where I quote myself or a colleague, the quote is from the original notebook. The bank had a twelve-year-old private cloud built on vSphere, a passably modern security posture under Bangladesh Bank’s ICT Security Guideline, and the usual accumulated decisions that nobody remembers making. The brief was simple: move to hybrid without disturbing the audit story. The work was not.
The diary
- Mo 1Inventory shockWe thought we had 1,200 VMs. We had 1,847. The 647 untracked were the ones the regulator was going to ask about first.
- Mo 3Phase 1 starts: hypervisor + IdP consolidationTwo separate OIDC IdPs collapsed into one; vSphere clusters re-platformed onto one vCenter. Slow, unglamorous, foundational.
- Mo 5First parallel-cloud attemptRetail BU started a 'small Azure pilot'. Stopped at the architecture-review board, redirected onto the platform.
- Mo 7Phase 2: data lake on sovereign IaaSIceberg + Parquet on BDIX-peered storage. Cheaper than the Singapore option by ~38% on TCO; latency to dashboards collapsed.
- Mo 11BB on-site audit visitReviewed the consolidated CMDB, the FIDO2 PAM logs, the data-flow map. Auditor asked the data-flow questions first; we had answers.
- Mo 14Phase 3: customer-data workloadsChannels and fraud-detection moved to sovereign IaaS. BDT-billed. Identity federation took six weeks longer than planned. It always does.
- Mo 17Phase 4: public-cloud carve-outsCDN, ML inference for English-language summarisation, out-of-country DR for non-regulated systems. Tight scope, tight gates.
- Mo 18Steady state45% private · 28% sovereign · 17% analytics · 10% public. Audit findings: zero.
Source: Reconstructed from engagement notes; details anonymised.
Where each phase landed
Source: Single-engagement actuals; identity federation explains the Phase 3 slip.
The conversations the diary did not capture
The diary captures decisions, but the conversations between decisions are where the programme actually lived. The most consequential of these were not technical. They were the moments — usually at month four, eight, and twelve — when the platform team’s credibility was on the line with a sceptical BU head who needed to ship something the regulator would tolerate and finance would pay for. We learned, slowly, that those conversations went better when the platform team showed up with the data flow map, the chargeback table, and the FIDO2 PAM logs already printed; the BU head typically arrived assuming the platform team had not done the work, and the evidence was its own argument.
What the BB visit actually asked for
The visit at month eleven was the most consequential single event of the programme. Not because the auditor found anything — they did not — but because the questions they asked told us, definitively, where the next nine months of investment should go. The first hour was about the data flow map: where personal data of customers entered the system, where it was processed, where it sat at rest, where it left, and what controls applied at each boundary. The second hour was about privileged access: who had it, how it was bounded in time, how the records survived the session. The third hour was the asset inventory. The order was not accidental.
What the diary says in retrospect
Three things stand out reading it back. First, the inventory shock at month one was the most consequential single event of the programme — it forced the platform team and the audit function into the same room, and they have not left since. Second, Phase 1 felt slow at the time and bought us twelve months on every subsequent phase. Third, the BB visit at month eleven was decisive: a programme that cannot show its data-flow map at month eleven is a programme that will be writing one in panic at month twenty-four.
What I would do differently
Two things. I would budget twice as long for identity federation in Phase 3, because every BFSI programme I have seen over-runs that step. And I would invest earlier in operational runbooks — by Phase 3, the platform team was running production for systems they had not designed, and the absence of crisp runbooks was felt every time an incident escalated past the on-call rotation.
Read next
- BFSI
The Audit That Goes Wrong: A Cautionary Walk Backwards
A composite incident, traced backward through the controls that should have prevented it. What was missing at each step, and what would have caught it.
- Cloud Strategy
Five Truths About Building a Sovereign Cloud in Bangladesh
Hard-won lessons from the field — what every newcomer underestimates about the licensing, the customer, the currency, and the country.
- Cloud Strategy
A Letter on the Bangladesh Cloud Economy
Annual letter to the Cloud Digit board on the shape, drivers, and trajectory of the Bangladeshi cloud market. Written in the long-form-thesis style that serious investors actually read.